A more or less complete guide to a FUD payload

**Before I start:** this guide will not feature any commands, so you can't really copy and paste. This is not for skids.

AV evasion is an important factor in almost all engagements. You can't really use any pre-made package such as msfvenom or Veil, as it will always be detected by one of the following parts of a GOOD antivirus program.

Part 1: The raw, basic hash check. On Linux you can easily check the MD5 of a file from the CLI. This will show a unique string of characters that is specific to that piece of code, written in that specific way. AV programs have a central database of unacceptable hashes. This is actually easy to bypass. You can add comments or useless functions (ones that add and multiply numbers, for example) to change that. I also recommend changing the names of all variables.

Part 2: A sandbox check. Here your program will run in a simulated environment. It might sound complex, but it's easier than you think to bypass. First of all, some programs don't even do that on some code; from my experience, some compiled languages don't invoke a sandbox environment. Not only that, but the sandbox environment does not last forever. It usually sits there for about five seconds, and if anything is flagged, the file is removed; if not, the file is let run free. Bypassing that is not that hard. You can sandwich a sleep function between math or system data collection (such as seeing if it's an Nvidia or AMD GPU, for example).

Part 3: The network trace. Some more popular AV programs will also see the traffic on your network. Unless some settings are changed on the handler, or the process is migrated to something legitimate so that the network traffic blends in, it will be flagged. This is what I am dealing with right now. My current solution is to either obfuscate the network traffic (would appreciate input on that) or to migrate the process ASAP.

TL;DR: change the source code, add sleep and delay functions, and migrate the process.

submitted by /u/StillPackage4369
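The hash-check point from Part 1 can be shown concretely. The following is an added example, not code from the original post: two constructed, harmless snippets that differ only in a comment, a useless arithmetic helper and variable names. Both are hashed the way a hash blacklist would hash a file, then executed to confirm they behave identically. The snippet contents, the `greet` function and the helper names are all made up for the illustration.

```python
import hashlib

# Constructed sample: a harmless snippet and a cosmetically altered variant
# (extra comment, a useless arithmetic helper, renamed variables).
# Neither is from the original post; both simply greet a name.
ORIGINAL = '''
def greet(name):
    msg = "hello " + name
    return msg
'''

MODIFIED = '''
# filler comment: changes the bytes, not the behaviour
def _pad(a, b):
    return (a + b) * 2

def greet(n):
    m = "hello " + n
    return m
'''


def file_hashes(src: str) -> dict:
    """Digests a hash-blacklist AV component would compare against."""
    data = src.encode()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def behaviour(src: str, arg: str) -> str:
    """Run the snippet in an isolated namespace and return greet(arg)."""
    ns = {}
    exec(src, ns)
    return ns["greet"](arg)


def hashes_differ(a: str, b: str) -> bool:
    """True when every digest of the two sources differs."""
    ha, hb = file_hashes(a), file_hashes(b)
    return all(ha[k] != hb[k] for k in ha)


def same_behaviour(a: str, b: str, arg: str = "world") -> bool:
    """True when both snippets produce the same result for the same input."""
    return behaviour(a, arg) == behaviour(b, arg)


if __name__ == "__main__":
    for label, src in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(label, file_hashes(src)["sha256"])
    print("hashes differ:", hashes_differ(ORIGINAL, MODIFIED))
    print("same behaviour:", same_behaviour(ORIGINAL, MODIFIED))
```

The digests change completely while `greet("world")` returns the same string from both versions, which is exactly why a blacklist of file hashes alone is a weak detection layer.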

from hacking: security in practice https://ift.tt/3sNW7iX
